- Description
- Setup - The basics of getting started with kubernetes
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- License
- Development - Guide for contributing to the module
- Examples - Puppet Bolt task examples
This module installs and configures Kubernetes which is an open-source system for automating deployment, scaling, and management of containerized applications. For efficient management and discovery, containers that make up an application are grouped into logical units.
To bootstrap a Kubernetes cluster in a secure and extensible way, this module uses the kubeadm toolkit.
Install this module, generate the configuration, add the OS and hostname yaml files to Hiera, and configure your node.
Included in this module is Kubetool, a configuration tool that auto-generates the Hiera security parameters, the discovery token hash, and other configurations for your Kubernetes cluster. To simplify installation and use, the tool is available as a Docker image.
If Docker is not installed on your workstation, install it from here.
The Kubetool Docker image takes each parameter as an environment variable.
Note:: The version of Kubetool you use must match the version of the module on the Puppet Forge. For example, if using the module version 1.0.0, use puppet/kubetool:1.0.0.
To output a yaml file into your working directory that corresponds to the operating system you want Kubernetes to run on, and for each controller node, run either of these docker run commands:
docker run --rm -v $(pwd):/mnt --env-file env puppet/kubetool:{$module_version}The docker run command above includes an env file which is included in the root folder of this repo.
docker run --rm -v $(pwd):/mnt -e OS=ubuntu -e VERSION=1.10.2 -e CONTAINER_RUNTIME=docker -e CNI_PROVIDER=cilium -e CNI_PROVIDER_VERSION=1.4.3 -e ETCD_INITIAL_CLUSTER=kube-control-plane:172.17.10.101,kube-replica-control-plane-01:172.17.10.210,kube-replica-control-plane-02:172.17.10.220 -e ETCD_IP="%{networking.ip}" -e KUBE_API_ADVERTISE_ADDRESS="%{networking.ip}" -e INSTALL_DASHBOARD=true puppet/kubetool:{$module-version}The above parameters are:
OS: The operating system Kubernetes runs on.VERSION: The version of Kubernetes to deploy. Must follow X.Y.Z format. (Check kubeadm regex rule for more information)CONTAINER_RUNTIME: The container runtime Kubernetes uses. Set this value todocker(officially supported) orcri_containerd. Advanced Kubernetes users can usecri_containerd, however this requires an increased understanding of Kubernetes, specifically when running applications in a HA cluster. To run a HA cluster and access your applications, an external load balancer is required in front of your cluster. Setting this up is beyond the scope of this module. For more information, see the Kubernetes documentation.CNI_PROVIDER: The CNI network to install. Set this value toweave,flannel,calicoorcilium.CNI_PROVIDER_VERSIONThe CNI version to use.calico,calico-tigera, andciliumproviders use this variable to reference the correct deployment file. Current versionciliumis1.4.3, calico is3.18, calico-tigera is3.26.0ETCD_INITIAL_CLUSTER: The server hostnames and IPs in the form ofhostname:ip. When in production, include three, five, or seven nodes for etcd.ETCD_IP: The IP each etcd member listens on. We recommend passing the fact for the interface to be used by the cluster.KUBE_API_ADVERTISE_ADDRESS: The IP each etcd/apiserver instance uses on each controller. We recommend passing the fact for the interface to be used by the cluster.INSTALL_DASHBOARD: A boolean which specifies whether to install the dashboard.KEY_SIZE: Number of bits in certificates (default:2048).
Kubetool creates:
-
A yaml file that corresponds to the operating system specified by the
OSparameter. To view the file contents, runcat Debian.yamlfor a Debian system, or runcat RedHat.yamlfor RedHat. The yaml files produced for each member of the etcd cluster contain certificate information to bootstrap an initial etcd cluster. Ensure these are also placed in your hieradata directory at the node level. -
A discovery token hash and encoded values required by Kubernetes. To regenerate the values, including certificates and tokens, run the
kubetoolcommand again.
Add the {$OS}.yaml file to the same control repo where your Hiera data is, usually the data directory. By leveraging location facts, such as the pp_datacenter trusted fact, each cluster can be allocated its own configuration.
If the below error is encounterd
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Kubernetes]:
parameter 'api_server_count' expects an Integer value, got Undef
parameter 'token' expects a String value, got Undef
parameter 'discovery_token_hash' expects a String value, got Undef (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 138, column: 3) on node xxx.example.localIt means that hiera is not getting the values from the associated yaml files stored in the data folder so it sets some of the required values as Undefined.
Check your hiera.yaml file and ensure that it contains entries for {OS}.yaml and {$hostname}.yaml
hierarchy:
- name: "Family"
path: Debian.yaml
- name: "Host"
path: xxx.example.local.yaml After the {$OS}.yaml and {$hostname}.yaml files have been added to the Hiera directory on your Puppet server, configure your node as the controller or worker.
A controller node contains the control plane and etcd. In a production cluster, you should have three, five, or seven controllers. A worker node runs your applications. You can add as many worker nodes as Kubernetes can handle. For information about nodes in Kubernetes, see the Kubernetes documentation.
Note: A node cannot be a controller and a worker. It must be one or the other.
To make a node a controller, add the following code to the manifest:
class {'kubernetes':
controller => true,
}To make a node a worker, add the following code to the manifest:
class {'kubernetes':
worker => true,
}Kubernetes supports multiple networking plugins that implements the networking model.
This module supports following Container Network Interface (CNI) plugins:
flannel
kubernetes::cni_network_provider: https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
kubernetes::cni_pod_cidr: 10.244.0.0/16
kubernetes::cni_provider: flannelweavecalico-nodecilium
kubernetes::cni_network_provider: https://raw.githubusercontent.com/cilium/cilium/1.4.3/examples/kubernetes/1.26/cilium.yaml
kubernetes::cni_pod_cidr: 10.244.0.0/16
kubernetes::cni_provider: ciliumCurrently, puppetlab-kubernetes is compatible with Ubuntu Xenial. For different OS, below parameters can be assigned.
For instance, installing kubernetes version 1.20.0 on Debian buster
# Docker repo and key as documented in
# https://docs.docker.com/install/linux/docker-ce/debian/
docker_apt_location => 'https://download.docker.com/linux/debian',
docker_apt_repos => 'stable',
docker_apt_release => 'buster',
docker_key_id => '9DC858229FC7DD38854AE2D88D81803C0EBFCD88',
docker_key_source => 'https://download.docker.com/linux/debian/gpg',
# Different available version can be found by apt-cache madison docker-ce
docker_version => '5:20.10.5~3-0~debian-buster',
docker_package_name => 'docker-ce',
# Kubernetes Version
kubernetes_version => '1.20.0',This module is compliant with the Puppet Development Kit (PDK), which provides tools to help run unit tests on the module and validate the modules's metadata, syntax, and style.
Note: To run static validations and
unit tests against this module using the pdk validate and pdk test unit commands, you must have Puppet 5 or higher installed. In the following examples we have specified Puppet 5.3.6.
To validate the metadata.json file, run the following command:
pdk validate metadata --puppet-version='5.3.6'To validate the Puppet code and syntax, run the following command:
pdk validate puppet --puppet-version='5.3.6'Note: The pdk validate ruby command ignores the excluded directories specified in the .rubocop.yml file. Therefore, to validate the Ruby code style and syntax you must specify the directory the code exists in.
In the following example we validate the Ruby code contained in the lib directory:
pdk validate ruby lib --puppet-version='5.3.6'To unit test the module, run the following command:
pdk test unit --puppet-version='5.3.6'- kubernetes
- kubernetes::cluster_roles
- kubernetes::config
- kubernetes::kube_addons
- kubernetes::packages
- kubernetes::repos
- kubernetes::service
- kubernetes::kubeadm_init
- kubernetes::kubeadm_join
The following parameters are available in the kubernetes class.
A string array of Subject Alternative Names for the API server certificates.
Defaults to [].
A string array of extra arguments passed to the API server.
Defaults to [].
A hash of extra volumes mounts mounted on the API server.
For example,
apiserver_extra_volumes => {
'volume-name' => {
hostPath => '/data',
mountPath => '/data',
readOnly: => 'false',
pathType: => 'DirectoryOrCreate'
},
}Defaults to {}.
The name of the cloud provider configured in /etc/kubernetes/cloud-config.
Note: This file is not managed within this module and must be present before bootstrapping the Kubernetes controller.
Defaults to undef.
The location of the cloud config file used by cloud_provider. For use with v1.12 and above.
Note: This file is not managed within this module and must be present before bootstrapping the Kubernetes controller.
Defaults to undef.
The URL to get the CNI providers yaml file. kube_tool sets this value.
Defaults to undef.
The download URL for the cni providers rbac rules. Only for use with Calico.
Defaults to undef.
Specifies the overlay (internal) network range to use. This value is set by kube_tool per CNI_PROVIDER.
Defaults to undef.
Specifies the runtime that the Kubernetes cluster uses.
Valid values are cri_containerd or docker.
Defaults to docker.
When set to true will cause the new proxy variables to be applied to the container runtime. Currently only implemented for Docker.
Valid values are true, false.
Defaults to false.
Specifies whether to set the node as a Kubernetes controller.
Valid values are true, false.
Defaults to false.
Specifies the version of the containerd runtime the module installs.
Defaults to 1.4.3.
The method used to install containerd. Either archive or package.
Defaults to archive.
The package name for containerd when containerd_install_method is package.
Defaults to containerd.io
The name of the containerd archive.
Defaults to containerd-${containerd_version}.linux-amd64.tar.gz.
The download URL for the containerd archive.
Defaults to https://github.com/containerd/containerd/releases/download/v${containerd_version}/${containerd_archive}.
The configuration for the image registries used by containerd.
See https://github.com/containerd/containerd/blob/master/docs/cri/registry.md
Defaults to {'docker.io' => {'mirrors' => {'endpoint' => 'https://registry-1.docker.io'}}}.
For example,
'containerd_plugins_registry' => {
'docker.io' => {
'mirrors' => {
'endpoint' => 'https://registry-1.docker.io'
},
},
'docker.private.example.com' => {
'mirrors' => {
'endpoint' => 'docker.private.example.com'
},
'tls' => {
'ca_file' => 'ca.pem',
'cert_file' => 'cert.pem',
'key_file' => 'key.pem',
'insecure_skip_verify' => true,
},
'auth' => {
'auth' => '1azhzLXVuaXQtdGVzdDpCQ0NwNWZUUXlyd3c1aUxoMXpEQXJnUT==',
},
},
'docker.private.example2.com' => {
'mirrors' => {
'endpoint' => 'docker.private.example2.com'
},
'tls' => {
'insecure_skip_verify' => true,
},
'auth' => {
'username' => 'user2',
'password' => 'secret2',
},
},
}The configuration for the image pause container.
Default registry.k8s.io/pause:3.2.
The path to containerd GRPC socket.
Default: /run/containerd/containerd.sock
The IP address and port for the controller the worker node joins. For example 172.17.10.101:6443.
Defaults to undef.
A string array of extra arguments passed to the controller manager.
Defaults to [].
A hash of extra volumes mounts mounted on the controller manager container.
For example,
controllermanager_extra_volumes => {
'volume-name' => {
hostPath => '/data',
mountPath => '/data',
readOnly: => 'false',
pathType: => 'DirectoryOrCreate'
},
}Defaults to {}.
A string array of extra arguments passed to the scheduler.
Defaults to [].
Specifies whether to install the upstream Kubernetes and Docker repos.
Valid values are true, false.
Defaults to true.
Specifies whether to turn off swap setting. This is required for kubeadm.
Valid values are true, false.
Defaults to true.
Specifies whether to manage the kernel modules needed for kubernetes
Valid values are true, false.
Defaults to true
Specifies whether to manage the the sysctl settings needed for kubernetes
Valid values are true, false.
Defaults to true
The string used to validate to the root CA public key when joining a cluster. This value is created by kubetool.
Defaults to undef.
The APT repo URL for the Docker packages.
Defaults to https://apt.dockerproject.org/repo.
The release name for the APT repo for the Docker packages.
Defaults to 'ubuntu-${::lsbdistcodename}'.
The repos to install from the Docker APT url.
Defaults to main.
Specifies the version of the Docker runtime to install.
Defaults to:
17.03.0.ce-1.el7.centoson RedHat.17.03.0~ce-0~ubuntu-xenialon Ubuntu.
The docker package name to download from an upstream repo.
Defaults to docker-engine.
The gpg key for the Docker APT repo.
Defaults to '58118E89F3A912897C070ADBF76221572C52609D'.
The URL for the Docker APT repo gpg key.
Defaults to https://apt.dockerproject.org/gpg.
The YUM repo URL for the Docker packages.
Defaults to https://download.docker.com/linux/centos/7/x86_64/stable.
The URL for the Docker yum repo gpg key.
Defaults to https://download.docker.com/linux/centos/gpg.
The storage driver for Docker (added to '/etc/docker/daemon.json')
Defaults to overlay2.
The storage options for Docker (Array added to '/etc/docker/daemon.json')
Defaults to undef.
Extra daemons options
Defaults to undef.
Specifies the version of etcd.
Defaults to 3.1.12.
Specifies the name of the etcd archive.
Defaults to etcd-v${etcd_version}-linux-amd64.tar.gz.
The download URL for the etcd archive.
Defaults to https://github.com/coreos/etcd/releases/download/v${etcd_version}/${etcd_archive}.
The method on how to install etcd. Can be either wget (using etcd_source) or package (using $etcd_package_name)
Defaults to wget.
The system package name for installing etcd
Defaults to etcd-server.
Specifies the name of the etcd instance.
A Hiera is kubernetes::etcd_hostname:"%{::fqdn}".
Defaults to $hostname.
Specifies the IP address etcd uses for communications.
A Hiera is kubernetes::etcd_ip:"%{networking.ip}".
Defaults to undef.
Informs etcd on how many nodes are in the cluster.
A Hiera example is kubernetes::etcd_initial_cluster: kube-control-plane:172.17.10.101,kube-replica-control-plane-01:172.17.10.210,kube-replica-control-plane-02:172.17.10.220.
Defaults to undef.
Informs etcd on the state of the cluster when starting. Useful for adding single nodes to a cluster. Allowed values are new or existing.
Defaults to new
Specifies how etcd lists the peers to connect to the cluster.
A Hiera example is kubernetes::etcd_peers:
- 172.17.10.101
- 172.17.10.102
- 172.17.10.103
Defaults to undef
The CA certificate key data for the etcd cluster. This value must be passed as string and not as a file.
Defaults to undef.
The CA certificate data for the etcd cluster. This value must be passed as string and not as a file.
Defaults to undef.
The client certificate key data for the etcd cluster. This value must be passed as string and not as a file.
Defaults to undef.
The client certificate data for the etcd cluster. This value must be passed as string not as a file.
Defaults to undef.
The server certificate key data for the etcd cluster. This value must be passed as string not as a file.
Defaults to undef.
The server certificate data for the etcd cluster . This value must be passed as string not as a file.
Defaults to undef.
The peer certificate data for the etcd cluster. This value must be passed as string not as a file.
Defaults to undef.
The peer certificate key data for the etcd cluster. This value must be passed as string not as a file.
Defaults to undef.
The string value to set for the HTTP_PROXY environment variable.
Defaults to undef.
The string value to set for the HTTPS_PROXY environment variable.
Defaults to undef.
The container registry to pull control plane images from.
Defaults to registry.k8s.io
Specifies whether the Kubernetes dashboard is installed.
Valid values are true, false.
Defaults to false.
The cluster's CA certificate. Must be passed as a string and not a file.
Defaults to undef.
The cluster's CA key. Must be passed as a string and not a file.
Defaults to undef.
The cluster's front-proxy CA certificate. Must be passed as a string and not a file.
Defaults to undef.
The cluster's front-proxy CA key. Must be passed as a string and not a file.
Defaults to undef.
The IP address you want exposed by the API server.
A Hiera example is kubernetes::kube_api_advertise_address:"%{networking.ip}".
Defaults to undef.
The version of the Kubernetes containers to install. Must follow X.Y.Z format.
Defaults to 1.10.2.
The version the Kubernetes OS packages to install, such as kubectl and kubelet.
Defaults to 1.10.2.
A hash containing extra configuration data to be serialised with to_yaml and appended to the config.yaml file used by kubeadm.
Defaults to {}.
A hash containing extra configuration data to be serialised with to_yaml and appended to Kubelet configuration file for the cluster. Requires DynamicKubeletConfig.
Defaults to {}.
A string array to be appended to kubeletExtraArgs in the Kubelet's nodeRegistration configuration. It is applied to both control-planes and nodes. Use this for critical Kubelet settings such as pod-infra-container-image which may be problematic to configure via kubelet_extra_config and DynamicKubeletConfig.
Defaults to [].
The APT repo URL for the Kubernetes packages.
Defaults to https://apt.kubernetes.io.
The release name for the APT repo for the Kubernetes packages.
Defaults to 'kubernetes-${::lsbdistcodename}'.
The repos to install using the Kubernetes APT URL.
Defaults to main.
The gpg key for the Kubernetes APT repo.
Defaults to '54A647F9048D5688D7DA2ABE6A030B21BA07F4FB'.
The URL for the APT repo gpg key.
Defaults to https://packages.cloud.google.com/apt/doc/apt-key.gpg.
When set to true will cause the new proxy variables to be applied to the Kubelet.
Valid values are true, false.
Defaults to false.
The YUM repo URL for the Kubernetes packages.
Defaults to https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64.
The URL for the Kubernetes yum repo gpg key.
Defaults to https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg.
Specifies whether to install Docker repositories and packages via this module.
Valid values are true, false.
Defaults to true.
Specifies whether to install an external Etcd via this module.
Valid values are true, false.
Defaults to true.
The string value to set for the NO_PROXY environment variable.
Defaults to undef.
An override to the label of a node.
Defaults to hostname.
Additional taints for node.
Defaults to undef.
For example,
[{'key' => 'dedicated','value' => 'NewNode','effect' => 'NoSchedule', 'operator', => 'Equal'}]About kubernetes taints https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
The download URL for runc.
Defaults to https://github.com/opencontainers/runc/releases/download/v${runc_version}/runc.amd64.
Specifies the version of runc to install.
Defaults to 1.0.0.
The key for the service account. This value must be a certificate value and not a file.
Defaults to undef.
The public key for the service account. This value must be a certificate value and not a file.
Defaults to undef.
Specifies whether to remove the control plane role and allow pod scheduling on controllers.
Valid values are true, false.
Defaults to false.
The IP address range for service VIPs.
Defaults to 10.96.0.0/12.
The string used to join nodes to the cluster. This value must be in the form of [a-z0-9]{6}.[a-z0-9]{16}.
Defaults to undef.
The duration before the bootstrap token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire
Defaults to 24h
Specifies whether to set the node as a Kubernetes worker.
Valid values are true, false.
Defaults to false.
This module supports:
- Puppet 4 or higher.
- Kubernetes 1.10.x or higher.
- Ruby 2.3.0 or higher.
This module has been tested on the following operating systems:
- RedHat 7.x.
- CentOS 7.x.
- Ubuntu 16.04
Docker is the supported container runtime for this module.
This codebase is licensed under the Apache2.0 licensing, however due to the nature of the codebase the open source dependencies may also use a combination of AGPL, BSD-2, BSD-3, GPL2.0, LGPL, MIT and MPL Licensing.
If you would like to contribute to this module, please follow the rules in the CONTRIBUTING.md. For more information, see our module contribution guide.
To run the acceptance tests you can use Puppet Litmus with the Vagrant provider by using the following commands:
# install rvm with and ruby >2.5
rvm install "ruby-2.5.1"
gem install bundler
bundler install
bundle exec rake 'litmus:provision_list[all_supported]'
bundle exec rake 'litmus:install_agent[puppet5]'
bundle exec rake 'litmus:install_module'
bundle exec rake 'litmus:acceptance:parallel'For more information about Litmus please see the wiki.
As currently Litmus does not allow memory size and cpu size parameters for the Vagrant provisioner task we recommend to manually update the Vagrantfile used by the provisioner and add at least the following specifications for the puppetlabs-kubernetes module acceptance tests:
Update Vagrantfile in the file: spec/fixtures/modules/provision/tasks/vagrant.rb
vf = <<-VF
Vagrant.configure(\"2\") do |config|
config.vm.box = '#{platform}'
config.vm.boot_timeout = 600
config.ssh.insert_key = false
config.vm.hostname = "testkube"
config.vm.provider "virtualbox" do |vb|
vb.memory = "2048"
vb.cpus = "2"
end
#{network}
#{synced_folder}
end
VF
In the examples folder you will find a bash script containg a few sample Puppet Bolt commands for the usage of the tasks. The example script is intended to be used with a Kubernetes API that requires the token authentication header, but the token parameter is optional by default.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent